Merge branch 'main' into feat/tests

README.md

@@ -1,74 +1,123 @@
-<h1 align="center">
-   EU Digital COVID Certificate Validation Decorator
-</h1>
-
-<p align="center">
-  <a href="https://github.com/eu-digital-green-certificates/dgca-validation-decorator/actions/workflows/ci-main.yml" title="ci-main.yml">
-    <img src="https://github.com/eu-digital-green-certificates/dgca-validation-decorator/actions/workflows/ci-main.yml/badge.svg">
-  </a>
-  <a href="/../../commits/" title="Last Commit">
-    <img src="https://img.shields.io/github/last-commit/eu-digital-green-certificates/dgca-validation-decorator?style=flat">
-  </a>
-  <a href="/../../issues" title="Open Issues">
-    <img src="https://img.shields.io/github/issues/eu-digital-green-certificates/dgca-validation-decorator?style=flat">
-  </a>
-  <a href="./LICENSE" title="License">
-    <img src="https://img.shields.io/badge/License-Apache%202.0-green.svg?style=flat">
-  </a>
-</p>
-
-<p align="center">
-  <a href="#about">About</a> •
-  <a href="#development">Development</a> •
-  <a href="#documentation">Documentation</a> •
-  <a href="#support-and-feedback">Support</a> •
-  <a href="#how-to-contribute">Contribute</a> •
-  <a href="#licensing">Licensing</a>
-</p>
-
-## About
-
-This repository contains the source code of the EU Digital COVID Certificate Validation Decorator.
-
-- [ ] TODO: Describe Component
-
-## Development
-
-### Prerequisites
-
-- [ ] TODO: Prerequisites
-
-### Build
-
-- [ ] TODO: Build
-
-## Documentation
-
-- [ ] TODO: Documentation
-
-## Support and feedback
-
-The following channels are available for discussions, feedback, and support requests:
-
-| Type                     | Channel                                                |
-| ------------------------ | ------------------------------------------------------ |
-| **Issues**    | <a href="/../../issues" title="Open Issues"><img src="https://img.shields.io/github/issues/eu-digital-green-certificates/dgca-validation-decorator?style=flat"></a>  |
-| **Other requests**    | <a href="mailto:[email protected]" title="Email DGC Team"><img src="https://img.shields.io/badge/email-DGC%20team-green?logo=mail.ru&style=flat-square&logoColor=white"></a>   |
-
-## How to contribute  
-
-Contribution and feedback is encouraged and always welcome. For more information about how to contribute, the project structure, 
-as well as additional contribution information, see our [Contribution Guidelines](./CONTRIBUTING.md). By participating in this 
-project, you agree to abide by its [Code of Conduct](./CODE_OF_CONDUCT.md) at all times.
-
-## Licensing
-
-Copyright (C) 2021 T-Systems International GmbH and all other contributors
-
-Licensed under the **Apache License, Version 2.0** (the "License"); you may not use this file except in compliance with the License.
-
-You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0.
-
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" 
-BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the [LICENSE](./LICENSE) for the specific 
-language governing permissions and limitations under the License.
+<h1 align="center">
+   EU Digital COVID Certificate Validation Decorator
+</h1>
+
+<p align="center">
+  <a href="https://github.com/eu-digital-green-certificates/dgca-validation-decorator/actions/workflows/ci-main.yml" title="ci-main.yml">
+    <img src="https://github.com/eu-digital-green-certificates/dgca-validation-decorator/actions/workflows/ci-main.yml/badge.svg">
+  </a>
+  <a href="/../../commits/" title="Last Commit">
+    <img src="https://img.shields.io/github/last-commit/eu-digital-green-certificates/dgca-validation-decorator?style=flat">
+  </a>
+  <a href="/../../issues" title="Open Issues">
+    <img src="https://img.shields.io/github/issues/eu-digital-green-certificates/dgca-validation-decorator?style=flat">
+  </a>
+  <a href="./LICENSE" title="License">
+    <img src="https://img.shields.io/badge/License-Apache%202.0-green.svg?style=flat">
+  </a>
+</p>
+
+<p align="center">
+  <a href="#about">About</a> •
+  <a href="#development">Development</a> •
+  <a href="#documentation">Documentation</a> •
+  <a href="#support-and-feedback">Support</a> •
+  <a href="#how-to-contribute">Contribute</a> •
+  <a href="#licensing">Licensing</a>
+</p>
+
+## About
+
+This repository contains the source code of the EU Digital COVID Certificate Validation Decorator.
+
+The Validation Decorator is an interface between the [validation service](https://github.com/eu-digital-green-certificates/dgca-validation-service) and an internal [backend system](https://github.com/eu-digital-green-certificates/dgca-booking-demo-backend) (demo) for the exchange of digital covid certificate information.
+
+The validation has complex work flow that involves
+
+- [dgca-validation-service](https://github.com/eu-digital-green-certificates/dgca-validation-service) - additional service on travel system 
+- [dgca-booking-demo](https://github.com/eu-digital-green-certificates/dgca-booking-demo) - travel system mock
+- [dgca-booking-demo-frontend](https://github.com/eu-digital-green-certificates/dgca-booking-demo-frontend)
+- [dgca-verifier-app-android](https://github.com/eu-digital-green-certificates/dgca-verifier-app-android) - provide dcc
+- [dgca-booking-demo-backend](https://github.com/eu-digital-green-certificates/dgca-booking-demo-backend)
+
+## Development
+
+### Prerequisites
+
+- [Open JDK 11](https://openjdk.java.net)
+- [Maven](https://maven.apache.org)
+- [Docker](https://www.docker.com)
+- Authenticate to [Github Packages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)
+
+#### Authenticating in to GitHub Packages
+
+As some of the required libraries (and/or versions are pinned/available only from GitHub Packages) You need to authenticate
+to [GitHub Packages](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry)
+The following steps need to be followed
+
+- Create [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with scopes:
+    - `read:packages` for downloading packages
+
+##### GitHub Maven
+
+- Copy/Augment `~/.m2/settings.xml` with the contents of `settings.xml` present in this repository
+    - Replace `${app.packages.username}` with your github username
+    - Replace `${app.packages.password}` with the generated PAT
+
+##### GitHub Docker Registry
+
+- Run `docker login docker.pkg.github.com/eu-digital-green-certificates` before running further docker commands.
+    - Use your GitHub username as username
+    - Use the generated PAT as password
+
+### Build
+
+Whether you cloned or downloaded the 'zipped' sources you will either find the sources in the chosen checkout-directory or get a zip file with the source code, which you can expand to a folder of your choice.
+
+In either case open a terminal pointing to the directory you put the sources in. The local build process is described afterwards depending on the way you choose.
+
+### Build with maven
+* Check [settings.xml](settings.xml) in root folder and copy the servers to your own `~/.m2/settings.xml` to connect the GitHub repositories we use in our code. Provide your GitHub username and access token (see [GitHub Help](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token)) under the variables suggested.
+* Run `mvn clean package` from the project root folder
+
+### Run with docker
+* Perform maven build as described above
+* Run `docker-compose up` from the project root folder
+
+After all containers have started you will be able to reach the application on your [local machine](http://localhost:8080/dgci/status) under port 8080.
+## Documentation
+
+The Validation Decorator is a template. To make your own adjustments, the three interfaces `KeyProvider`, `BackendRepository` and `AccessTokenPayloadBuilder` should be implemented.
+
+`KeyProvider` provides the necessary keys and certificates. Separate keys for JWT, certificates for Validation Service and others are provided.
+
+`BackendRepository` provides the interface to the internal service. In this example [dgca-booking-demo-backend](https://github.com/eu-digital-green-certificates/dgca-booking-demo-backend) is connected and should demonstrate an airline.
+
+`AccessTokenPayloadBuilder` basically serves as a converter to create the `AccessTokenPayload` from the given data.
+
+## Support and feedback
+
+The following channels are available for discussions, feedback, and support requests:
+
+| Type                     | Channel                                                |
+| ------------------------ | ------------------------------------------------------ |
+| **Issues**    | <a href="/../../issues" title="Open Issues"><img src="https://img.shields.io/github/issues/eu-digital-green-certificates/dgca-validation-decorator?style=flat"></a>  |
+| **Other requests**    | <a href="mailto:[email protected]" title="Email DGC Team"><img src="https://img.shields.io/badge/email-DGC%20team-green?logo=mail.ru&style=flat-square&logoColor=white"></a>   |
+
+## How to contribute  
+
+Contribution and feedback is encouraged and always welcome. For more information about how to contribute, the project structure, 
+as well as additional contribution information, see our [Contribution Guidelines](./CONTRIBUTING.md). By participating in this 
+project, you agree to abide by its [Code of Conduct](./CODE_OF_CONDUCT.md) at all times.
+
+## Licensing
+
+Copyright (C) 2021 T-Systems International GmbH and all other contributors
+
+Licensed under the **Apache License, Version 2.0** (the "License"); you may not use this file except in compliance with the License.
+
+You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0.
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" 
+BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the [LICENSE](./LICENSE) for the specific 
+language governing permissions and limitations under the License.

owasp/suppressions.xml

@@ -29,7 +29,9 @@
     <cve>CVE-2021-22118</cve>
   </suppress>
   <suppress>
-    <!-- tomcat-embed-core-9.0.52.jar : CVE-2020-0822-->
+    <!-- tomcat-embed-core-9.0.52.jar: CVE-2020-0822 -->
 	<cve>CVE-2020-0822</cve>
+	<!-- tomcat-embed-core-9.0.52.jar: CVE-2021-42340 -->
+	<cve>CVE-2021-42340</cve> 
   </suppress>
 </suppressions>

pom.xml

@@ -35,10 +35,7 @@
     	<bcpkix.version>1.68</bcpkix.version>
     	<okhttp.version>4.9.1</okhttp.version>
     	<shedlock.version>4.25.0</shedlock.version>
-        <nimbusds.version>9.9.2</nimbusds.version>
         <dgc.lib.version>1.1.3</dgc.lib.version>
-        <dgc-certlogic.version>0.0.0-3834d93</dgc-certlogic.version>
-        <dgc-decoder.version>0.1</dgc-decoder.version>
         <!-- plugins -->
         <plugin.checkstyle.version>3.1.2</plugin.checkstyle.version>
         <plugin.sonar.version>3.9.0.2155</plugin.sonar.version>
@@ -213,16 +210,6 @@
             <artifactId>spring-security-web</artifactId>
             <version>${spring.security.version}</version><!--$NO-MVN-MAN-VER$-->
         </dependency>
-        <dependency>
-            <groupId>eu.europa.ec.dgc</groupId>
-            <artifactId>dgc-certlogic</artifactId>
-            <version>${dgc-certlogic.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>eu.europa.ec.dgc</groupId>
-            <artifactId>dgc-decoder</artifactId>
-            <version>${dgc-decoder.version}</version>
-        </dependency>
         <dependency>
             <groupId>io.jsonwebtoken</groupId>
             <artifactId>jjwt</artifactId>
@@ -236,11 +223,6 @@
             <groupId>com.sap.hcp.cf.logging</groupId>
             <artifactId>cf-java-logging-support-logback</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.nimbusds</groupId>
-            <artifactId>nimbus-jose-jwt</artifactId>
-            <version>${nimbusds.version}</version><!--$NO-MVN-MAN-VER$-->
-        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk15on</artifactId>

src/main/java/eu/europa/ec/dgc/validation/decorator/config/DccVerificationConfig.java

@@ -20,17 +20,8 @@
 
 package eu.europa.ec.dgc.validation.decorator.config;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-import dgca.verifier.app.decoder.JsonSchemaKt;
-import dgca.verifier.app.engine.AffectedFieldsDataRetriever;
-import dgca.verifier.app.engine.CertLogicEngine;
-import dgca.verifier.app.engine.DefaultAffectedFieldsDataRetriever;
-import dgca.verifier.app.engine.DefaultCertLogicEngine;
-import dgca.verifier.app.engine.DefaultJsonLogicValidator;
-import dgca.verifier.app.engine.JsonLogicValidator;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -50,22 +41,4 @@ public ObjectMapper objectMapper() {
         objectMapper.registerModule(new JavaTimeModule());
         return objectMapper;
     }
-
-    @Bean
-    public AffectedFieldsDataRetriever affectedFieldsDataRetriever(ObjectMapper objectMapper)
-            throws JsonProcessingException {
-        JsonNode jsonNode = objectMapper.readTree(JsonSchemaKt.JSON_SCHEMA_V1);
-        return new DefaultAffectedFieldsDataRetriever(jsonNode, objectMapper);
-    }
-
-    @Bean
-    public JsonLogicValidator jsonLogicValidator() {
-        return new DefaultJsonLogicValidator();
-    }
-
-    @Bean
-    public CertLogicEngine certLogicEngine(AffectedFieldsDataRetriever affectedFieldsDataRetriever,
-            JsonLogicValidator jsonLogicValidator) {
-        return new DefaultCertLogicEngine(affectedFieldsDataRetriever, jsonLogicValidator);
-    }
 }

src/main/java/eu/europa/ec/dgc/validation/decorator/controller/CallbackController.java

@@ -21,12 +21,11 @@
 package eu.europa.ec.dgc.validation.decorator.controller;
 
 import eu.europa.ec.dgc.validation.decorator.dto.CallbackRequest;
-import eu.europa.ec.dgc.validation.decorator.service.AccessTokenService;
 import eu.europa.ec.dgc.validation.decorator.service.BackendService;
+import io.jsonwebtoken.JwtException;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
-import java.util.Map;
 import javax.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -47,10 +46,8 @@ public class CallbackController {
 
     private static final String PATH = "/callback/{subject}";
 
-    private final AccessTokenService accessTokenService;
-
     private final BackendService backendService;
-    
+
     /**
      * Callback endpoint receives the validation result to a subject.
      * 
@@ -61,30 +58,25 @@ public class CallbackController {
     @ApiResponses(value = {
         @ApiResponse(responseCode = "200", description = "OK"),
         @ApiResponse(responseCode = "401", description = "Unauthorized, if Result Token was not correctly signed"),
-        @ApiResponse(responseCode = "404", description = "Not Found"),
         @ApiResponse(responseCode = "410", description = "Gone. Subject does not exist anymore"),
         @ApiResponse(responseCode = "500", description = "Internal Server Error")
     })
-    @PutMapping(value = PATH, consumes = MediaType.APPLICATION_JSON_VALUE)
+    @PutMapping(value = PATH, consumes = { "application/jwt", MediaType.TEXT_PLAIN_VALUE })
     public ResponseEntity callback(
             @PathVariable(value = "subject", required = true) final String subject,
-            @RequestHeader("Authorization") final String token,
-            @RequestHeader("X-Version") final String version, 
-            @Valid @RequestBody final CallbackRequest request) {
-        log.debug("Incoming PUT request to '{}' with subject '{}'", PATH, subject);
-
-        if (this.accessTokenService.isValid(token)) {
-            final Map<String, Object> tokenContent = this.accessTokenService.parseAccessToken(token);
-            if (tokenContent.containsKey("sub") && tokenContent.get("sub") instanceof String) {
-
-                this.backendService.saveResult(subject, request);
-                return ResponseEntity.ok()
-                        .cacheControl(CacheControl.noCache())
-                        .build();
-            }
+            @RequestHeader("X-Version") final String version,
+            @Valid @RequestBody final String body) {
+        log.debug("Incoming PUT request to '{}' with subject '{}' and bldy '{}'", PATH, subject, body);
+        try {
+            final CallbackRequest request = this.backendService.parseRequest(subject, body);
+            this.backendService.saveResult(subject, request);    
+            return ResponseEntity.ok()
+                    .cacheControl(CacheControl.noCache())
+                    .build();
+        } catch (JwtException e) {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                    .cacheControl(CacheControl.noCache())
+                    .build();
         }
-        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
-                .cacheControl(CacheControl.noCache())
-                .build();
     }
 }

src/main/java/eu/europa/ec/dgc/validation/decorator/controller/DccTokenController.java

@@ -79,7 +79,7 @@ public ResponseEntity<String> token(
             final Map<String, Object> tokenContent = this.accessTokenService.parseAccessToken(token);
             if (tokenContent.containsKey("sub") && tokenContent.get("sub") instanceof String) {
                 final String subject = (String) tokenContent.get("sub");
-                final AccessTokenPayload accessTockenPayload = dccTokenService
+                final AccessTokenPayload accessTockenPayload = this.dccTokenService
                         .getAccessTockenForValidationService(dccToken, subject);
                 final String accessToken = this.accessTokenService.buildAccessToken(accessTockenPayload);
 

src/main/java/eu/europa/ec/dgc/validation/decorator/dto/CallbackRequest.java

@@ -20,12 +20,14 @@
 
 package eu.europa.ec.dgc.validation.decorator.dto;
 
+import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.List;
 import lombok.Data;
 
 @Data
 public class CallbackRequest {
 
+    @JsonProperty("iss")
     private String issuer;
 
     private Long iat;

src/main/java/eu/europa/ec/dgc/validation/decorator/entity/ServiceResultRequest.java

@@ -59,5 +59,5 @@ public static final class ResultRequest {
         private String type;
 
         private String details;
-    }    
+    }
 }